After you initialize KDC in VMware Identity Manager, you must create public DNS records to allow the Kerberos clients to find the KDC when the built-in Kerberos authentication feature is enabled.

The KDC realm name is used as part of the DNS name for the VMware Identity Manager appliance entries that are used to discover the KDC service. Two DNS records are required for each VMware Identity Manager site and two address entries.

Note: An AAAA record is required for devices running on iOS 9 or are using T-Mobile as the carrier. The AAAA entry value is an IPv6 address that encodes an IPv4 address. If the KDC is not addressable via IPv6 and an IPv4 address is used, the AAAA entry might have to be specified in strict IPv6 notation as ::ffff:175c:e147 on the DNS server. You can use an IPv4 to IPv6 conversion tool, such as one available from Neustar.UltraTools, to convert IPv4 to IPv6 address notation.

DNS Record Entries for KDC

In this example DNS record, the realm is EXAMPLE.COM; the VMware Identity Manager fully qualified domain name is, and the VMware Identity Manager IP address               1800 IN  A                 1800 IN  AAAA         ::ffff:
_kerberos._tcp.idm.EXAMPLE.COM          IN  SRV  10  0   88
_kerberos._udp.idm.EXAMPLE.COM          IN  SRV  10  0   88